Pseudorandom Permutation (PRP)

A Pseudorandom Permutation (PRP) is a basic primitive which allows someone to succinctly sample and represent a permutation which appears to be uniformly randomly selected. The user, who generates the key, can evaluate the permutation over some domain both forward and backward efficiently. These pseudorandom permutations are also the primitive which represents block ciphers, such as [AES].

PRPs were originally defined by [GGM84] and are a basic building block for many more complex primitives such as Symmetric Encryption (SE).

Formal Definition

Syntax

A Pseudorandom Permutation (PRP) is a tuple of efficient functions ${\displaystyle ({\mathsf {Gen}},P,P^{-1})}$, with respect to a keyspace ${\displaystyle {\mathcal {K}}}$ and domain ${\displaystyle {\mathcal {D}}}$ such that:

• ${\displaystyle {\mathsf {Gen}}(1^{\lambda })\to k}$, is a randomized algorithm that takes a security parameter, and outputs a key ${\displaystyle k\in {\mathcal {K}}}$,
• ${\displaystyle P_{k}(x)\to y}$, is a deterministic algorithm that takes a key ${\displaystyle k\in {\mathcal {K}}}$ and input ${\displaystyle x\in {\mathcal {D}}}$, and outputs an element ${\displaystyle y\in {\mathcal {D}}}$,
• ${\displaystyle P_{k}^{-1}(y)\to x}$, is a deterministic algorithm that takes a key ${\displaystyle k\in {\mathcal {K}}}$ and input ${\displaystyle y\in {\mathcal {D}}}$, and outputs a preimage set of element ${\displaystyle x\in {\mathcal {D}}}$.

Typically, we assume that ${\displaystyle |{\mathcal {D}}|}$ is "large," in the sense that it grows exponentially with the security parameter. If instead ${\displaystyle |{\mathcal {D}}|}$ is bounded by some polynomial in the security parameter, then the primitive is a "small-domain" PRP.

Correctness

A PRP is correct if for all ${\displaystyle k}$ and ${\displaystyle x}$, ${\displaystyle P_{k}^{-1}(P_{k}(x))=x}$.

Security

A PRP is secure if for all efficient ${\displaystyle D}$, there exists a negligible function ${\displaystyle \nu }$, such that

${\displaystyle {\big |}\Pr[D^{P_{k},P_{k}^{-1}}(1^{\lambda })=1]-\Pr[D^{\pi ,\pi ^{-1}}(1^{\lambda })=1{\big |}\leq \nu (\lambda ),}$

where ${\displaystyle k\gets {\mathsf {Gen}}(1^{\lambda })}$, ${\displaystyle \pi }$ is a random permutation over ${\displaystyle {\mathcal {D}}}$ (and ${\displaystyle \pi ^{-1}}$ is its inverse).

Relationship to other primitives

• PRFs imply the existence of large-domain PRPs, due to [LR88]
• PRPs imply the existence of large-domain PRFs, due to the switching lemma

Variations

• Truncated PRP
• Injective PRF